2015-11-04

Draft Investigatory Powers Bill

The draft bill has been introduced today and it is quite big, and will take some time to address all of the concerns. Do see Neil's comments as well. Here are just a couple of the concerns so far...

ISPs to generate new data and retain it!

At present it is possible for an ISP to be subject of an order requiring retention of certain data which it processes. This is data the ISP has, and it simply means the ISP has to keep it for 12 months. Thankfully AAISP has never been subject to such an order.

The new scheme seems to require an ISP to actually generate new data, Internet Connection Records which mean logs of the IP addresses and connections. This is a huge step - as an ISP we do not have that data or the equipment to generate or retain that data.

That data is also potentially very sensitive communications data - including details of every web site or service you ever access. Yes, the specific page on www.ashleymadison.com will not be logged, but the site you accessed would be.
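As an added illustration (not code from this post or from A&A), here is a toy Python model of the kind of Internet Connection Record an ISP would have to generate from the flow metadata a packet-forwarding network can see: the record names the server contacted and when, never the page, and when several sites share one server address it cannot even say which site was visited. The flow list and the shared-hosting map are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows as seen by an ISP that only forwards packets:
# (customer_ip, service_ip, dst_port, start, end). There is no URL here; the
# draft bill says the page is not logged, and for HTTPS the ISP never sees it.
FLOWS = [
    ("192.0.2.10", "203.0.113.5", 443, "2015-11-04T09:00:00Z", "2015-11-04T09:00:07Z"),
    ("192.0.2.10", "203.0.113.5", 443, "2015-11-04T09:05:10Z", "2015-11-04T09:05:12Z"),
    ("192.0.2.10", "198.51.100.20", 80, "2015-11-04T09:06:00Z", "2015-11-04T09:06:01Z"),
    ("192.0.2.11", "203.0.113.5", 443, "2015-11-04T09:07:00Z", "2015-11-04T09:07:30Z"),
]

# Constructed sample: several unrelated sites behind one server address, the
# usual shared-hosting arrangement.
SHARED_HOSTING = {
    "203.0.113.5": ["shop.example", "news.example", "forum.example", "clinic.example"],
    "198.51.100.20": ["mail.example"],
}


@dataclass(frozen=True)
class ICR:
    customer_ip: str
    service_ip: str
    port: int
    first_seen: str
    last_seen: str
    flows: int


def build_icrs(flows):
    """Collapse raw flows into one record per (customer, service, port).

    This is new data the bill would require an ISP to generate; it is not
    something a packet-forwarding ISP holds today.
    """
    groups = defaultdict(list)
    for customer, service, port, start, end in flows:
        groups[(customer, service, port)].append((start, end))
    # ISO-8601 UTC strings in one fixed format compare correctly as plain strings.
    return [
        ICR(customer, service, port, min(s for s, _ in spans),
            max(e for _, e in spans), len(spans))
        for (customer, service, port), spans in sorted(groups.items())
    ]


def candidate_sites(icr, hosting=SHARED_HOSTING):
    """Which site does a record point at? With shared hosting the honest answer
    is "one of these", so the record alone cannot single out the site visited."""
    return hosting.get(icr.service_ip, [])
```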

Again, the scheme is based on an order to an ISP to retain data so may not extend to all small ISPs. The bill also provides options to challenge any such orders (73), which includes challenging the order on the likely cost and other effect of the notice on the operator (72). At A&A we are proud to state that we have no government snooping equipment or anything to collect and retain this sort of bulk data in our network. We have even made it a contract term that we will give 12 months notice if we start doing this. Such an impact on our business must be considered as part of any order, as well as the proportionality and benefits of such an order. Of course the bill makes it a duty not to disclose the order - so it would be interesting to ask what they want me to do when asked if we are subject to such an order. If you ask now I say no, we are not subject to an order. What is a concern is that, because the orders are secret, nobody knows what is actually being logged anyway!

Yes, they are talking about all sorts of safeguards on who can access this stored data and which data they can access, but that does not stop the fact that there is snooping in the first place.

There is a new definition of "content" of communication (which is not to be logged). It relates to the meaning of the communication itself. This could allow for deep packet inspection to unwrap L2TP, PPP and so on in back-haul carriers and so allow this monitoring to be done in BT or TalkTalk. One wonders if end users will be able to send DPA subject access requests to BT to get a copy of all such retained data.

But let us be clear - this is mass surveillance on everyone and holding that sensitive data in private companies (ISPs). With the recent Talk Talk issues, you can see that this is a concern. The data, even if just a list of web sites you have visited, is valuable to criminals and even marketeers! It will encourage much more sophisticated attacks, even infiltrating staff at companies, to get the data that the law will make ISPs retain.

And, of course, there is a cost to retaining all of this data. It is not a small amount.

iMessages safe?

The bill does not outlaw encryption or end to end encryption; it just leaves things as they are now, where a communications provider asked to intercept is expected, where possible, to provide data in an unencrypted form. Apple outside the UK do not have to take any notice of such a law, but if they wanted to, then they could change the keys on iMessage for an individual such that they can intercept. No idea if they would do so.

However, there are end to end encrypted messaging apps which do not make use of a communications provider's systems other than to pass the encrypted data, and such systems will clearly be both legal and safe - so if you respect your privacy (or are a criminal) you simply use such systems and the new law will not be an issue for you.

Will it get through?

The data retention directive was kicked out because it required logging of non-criminals' data, so we can only hope this will fail too, but who knows. Talk to your MP!!!

Update: Best tweet I have seen on this:

All new computer science text books will have a chapter on how Alice and Bob can talk to each other without Theresa knowing #IPBill

19 comments:

Given that a lot of web sites exist on the same machine as others, for instance a.www-server.co.uk, there is going to be a lot of useless data for the spooks to sift through, and if, say, AAISP happen to be hosting a site for Terrorists-r-us.co.uk, anyone visiting any site hosted there is a potential suspect.

I'm also wondering what happens when IPv6 addresses are fed into the government's systems; they haven't exactly gone out of their way to embrace the present.

Also, do they want the data at individual host level, or just target network? Some sites are served by multiple hosts in a network. Note to Theresa May: today I have accessed many systems in 0:0:0:0:0:ffff::/96 which contains quite a lot of known terrorist sites.

(Notes that terrorists-r-us.co.uk is unregistered, but fully expects it to be hosted by aaisp shortly ;-)

What is regarded as a CSP? Anyone providing any internet traffic, being an ISP or transit provider? So would my communication be logged by my ISP, its transit traffic provider, and then, if the host is located in the UK, again by the host's pipe provider? This would massively duplicate records (and be mostly useless for users behind CGNAT) but would impact plans to VPN everything to a host in a different country if at any point my traffic comes back into the UK.

Sect 193 is so wide in what a "communication" and a "telecommunication service" are that it sounds like roughly any entity in the UK is potentially a "communication service provider".

Wondering how much the government is ready to fork out for record keeping? I can see myself providing communication to my children's WiFi AP and charging the government.

But that would put me in a strange legal position: as a parent I should be able to check my children's internet habits, but as a "communication service provider" do I have the right to snoop on my users' data? Will I have to send a SAR to myself? Will the government cover the cost of such a SAR?

I would be more worried if I was a pub/hotel/cafe offering a free wifi service - typically it is a case for reading the wireless network key off a sign, or asking for it. The upstream ISP will have records, but the site itself will not be able to determine which of the many thousands of people made particular DNS lookups / accessed particular websites as these hotspots are typically a standard home router.

I'm not going to read the actual bill, just the guide (too much legalese for me), but there is one section (at least) which contradicts itself:

"45. An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."

But then later on...

"Why do we need them? 46. ICRs are vital to law enforcement investigations in a number of ways. For example: ....

To establish whether a known suspect has been involved in online criminality, for example sharing indecent images of children, accessing terrorist material or fraud"

That isn't possible from the "ICRs"... is it?

The bit a little bit later on that section that mentions there being around 800 paedophiles they can't do anything about because they don't have the powers to investigate winds me up, especially as earlier on they cited the Ian Watkins case using existing powers to convict him, and others involved. If you know about 800 people why can't they use targeted methods to get their data? I would be behind that!

Well, you don't have to contrive that really. For an ISP that forces a proxy (as some mobiles may do), it is retaining some existing logs - big job, but not silly. For ISPs that shift packets, like us, it would be a nightmare of DPI to extract Host: fields in http or something and really quite complex and expensive.

If I use an encrypted VPN tunnel that I encrypt in my house and that exits in a foreign country, surely there is no way for any of this to affect me? The ISP or BT can't decrypt my private end to end VPN encryption.

Not much to pay.... Open a free tier Amazon Web Services account, terminate your favourite VPN tunnel on a tiny instance located outside of the UK. But I wouldn't be surprised if, when they look at your ICRs and see IPSEC (or another VPN), they might "ask" your ISP to route that traffic via GCHQ for storage (at least); that's probably part of the "facilitate interference" bit of the bill. But that once again only concerns honest citizens who care about their privacy. Steganography is the way to go if you want to pass information discreetly (but that's a notion that either Theresa May can't grasp or, more likely, she is sure the vast majority of the public won't know).
